
DropVPS Team

Writer: Cooper Reagan

Change SSH Port on openSUSE

Publication Date: 11/20/2024


Secure Shell (SSH) is a widely used protocol for secure remote management of servers and devices. By default, SSH listens on port 22, which makes it a common target for automated attacks such as brute-force login attempts. Changing the SSH port to a non-standard number is a simple but effective security measure to reduce the risk of unauthorized access.

On openSUSE, configuring a custom SSH port involves editing the SSH daemon’s configuration file and adjusting firewall rules to accommodate the new port. This change not only adds a layer of obscurity to your server’s access point but also minimizes exposure to automated scanners targeting the default port. With a few straightforward steps, openSUSE users can enhance their system’s security without compromising functionality.

Preliminary Steps

Before changing the SSH port on openSUSE, several preliminary steps are essential to ensure the process goes smoothly and securely. Start by confirming that SSH is installed and running on the server. This can be done using commands like systemctl status sshd to verify the service status. Next, make a backup of the SSH configuration file, typically located at /etc/ssh/sshd_config. This backup allows you to restore the original settings in case of an error during the configuration process.

It is also recommended to have an active terminal session that remains open throughout the changes to avoid being locked out of the server. Additionally, identify the specific port number you plan to use, ensuring it is not already in use by another application and falls outside the range of reserved ports (1-1024). Finally, check and note the existing firewall configuration to ensure you can add rules for the new SSH port later. These preparations are crucial for a seamless transition to a custom SSH port.

Commands for Locating and Editing sshd_config

To locate and edit the sshd_config file, execute the following commands step by step:

  1. Check if the file exists

    ls /etc/ssh/sshd_config

  2. Back up the original file

    sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

  3. Open the file for editing

    Using nano:

    sudo nano /etc/ssh/sshd_config

    Or using vim:

    sudo vim /etc/ssh/sshd_config

  4. Restart the SSH service after editing

    sudo systemctl restart sshd

Updating the Port Number

To update the SSH port number in openSUSE, follow these steps carefully. Begin by editing the SSH configuration file located at /etc/ssh/sshd_config. Open the file using your preferred text editor, for example:

    sudo nano /etc/ssh/sshd_config

Locate the line containing #Port 22. This line is commented out by default with the # symbol. Remove the # to uncomment the line and replace 22 with your desired port number. For instance:

    Port 2222

Save and close the file after making the changes. If you’re using nano, press Ctrl + O to save and Ctrl + X to exit.

Next, adjust the firewall rules to allow traffic on the new port. For example, if you are using firewalld, you can run:

    sudo firewall-cmd --permanent --add-port=2222/tcp
    sudo firewall-cmd --reload

Finally, restart the SSH service to apply the changes:

    sudo systemctl restart sshd

It’s a good practice to verify that the new port is working before closing the current SSH session. Open a new terminal and connect to your server using the updated port:

    ssh -p 2222 user@your_server_ip
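
The steps above, consolidated into one script as an added example (not code from the article): it rewrites the Port directive, checks the result with `sshd -t` before restarting, and restores the backup if the check fails. The function names and the sample config in `demo` are constructed for this example; `apply_port_change` assumes firewalld and root privileges.

```bash
# Added example, not the article's code. Function names are hypothetical.
# Accept only integers above the 1-1024 range the article says to avoid.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1025 ] && [ "$1" -le 65535 ]
}

# set_ssh_port FILE PORT: save FILE.bak, then leave one active "Port PORT".
# Replaces "#Port 22" or any existing Port line; otherwise inserts before
# the first Match block, because Port is not allowed inside one.
set_ssh_port() {
    local file=$1 port=$2 tmp rc
    valid_port "$port" || { echo "invalid port: $port" >&2; return 1; }
    cp -p "$file" "$file.bak" && tmp=$(mktemp) || return 1
    awk -v port="$port" '
        { line = tolower($0) }
        line ~ /^[ \t]*#?[ \t]*port[ \t]+[0-9]+[ \t]*$/ {
            if (!placed) { print "Port " port; placed = 1 }
            next
        }
        line ~ /^[ \t]*match[ \t]/ && !placed { print "Port " port; placed = 1 }
        { print }
        END { if (!placed) print "Port " port }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"; rc=$?
    rm -f "$tmp"; return "$rc"
}

# Print the ports of active (uncommented) Port directives in FILE.
active_ports() { awk 'tolower($1) == "port" && $2 ~ /^[0-9]+$/ { print $2 }' "$1"; }
# apply_port_change PORT: the article's steps on a live host (run as root,
# firewalld assumed). Restores the backup if "sshd -t" rejects the config.
apply_port_change() {
    local cfg=/etc/ssh/sshd_config port=$1
    set_ssh_port "$cfg" "$port" || return 1
    if ! sshd -t; then
        cp -p "$cfg.bak" "$cfg"
        echo "sshd -t failed; restored $cfg.bak" >&2; return 1
    fi
    firewall-cmd --permanent --add-port="$port"/tcp && firewall-cmd --reload &&
        systemctl restart sshd
}

# Dry run on a constructed sample config (not a real server file).
demo() {
    local f; f=$(mktemp)
    printf '%s\n' '#Port 22' 'PermitRootLogin no' 'Match User backup' > "$f"
    set_ssh_port "$f" 2222 && active_ports "$f"
    rm -f "$f" "$f.bak"
}
```

Calling `demo` exercises the edit on a temporary file without touching the host; keep the existing SSH session open when running `apply_port_change` on a real server.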

Benefits of Changing the Default SSH Port

Changing the default SSH port from 22 to a non-standard port provides several security and operational advantages. Firstly, it helps mitigate brute force attacks, as most automated scripts target port 22 by default. This simple step can significantly reduce the number of unauthorized login attempts visible in your logs. Secondly, it adds a layer of obscurity to your server, making it less likely to be detected by general network scans. While obscurity alone isn’t a robust security measure, it complements other defenses.

Operationally, using a custom port can prevent conflicts in environments where multiple SSH services are running or when port 22 is already in use by another application. Moreover, it allows administrators to implement stricter firewall rules by limiting access to the specific port, thus enhancing control over remote connections. This approach, combined with other security measures like key-based authentication, greatly improves the overall protection of your server.

Troubleshooting Common Issues

When changing the SSH port in openSUSE, you may encounter issues that prevent the new configuration from working as expected. Below are common problems and their solutions:

SSH Service Fails to Restart

If the SSH service doesn’t restart successfully after editing sshd_config, check for syntax errors in the configuration file. Use the following command to test the configuration:

    sudo sshd -t

This will display any errors in the file that need correction.

Unable to Connect with the New Port

If the new port is inaccessible, verify that the firewall is configured correctly to allow traffic on the updated port. Use:

    sudo firewall-cmd --list-ports

Ensure the new port is listed. If not, add it again using:

    sudo firewall-cmd --permanent --add-port=<port_number>/tcp
    sudo firewall-cmd --reload

Connection Refused or Timeout

Check if another service is already using the new port. Use the following command to identify conflicting services:

    sudo netstat -tuln | grep <port_number>

If a conflict exists, choose another port and update the configuration.

Lost SSH Access

If you lose SSH access after changing the port, you can regain access using a direct console or a cloud provider’s recovery mode. Revert the changes in sshd_config or correct the issue and restart the SSH service.

SELinux Blocking the New Port

If SELinux is enabled, it may block the new SSH port. Use the following command to allow the new port:

    sudo semanage port -a -t ssh_port_t -p tcp <port_number>

Logs for Debugging

Review the SSH logs for detailed information about any errors:

    sudo journalctl -u sshd

Changing the default SSH port in openSUSE is a simple but effective method to improve the security of your server. By altering the port, you reduce the chances of automated attacks targeting the default port 22. However, it is essential to follow the correct steps, including editing the sshd_config file, configuring your firewall, and restarting the SSH service for the changes to take effect.
